Ten Linux Security Management Techniques: A Summary of Experience

Posted by xiaoxiao, 2021-03-06

Author: sFqRy

First, file system

Second, backups

Third, improve the system's internal security mechanisms

Fourth, set traps and honeypots

Fifth, stop intrusions in the bud

Sixth, counter-attack detection

Seventh, improve logging

Eighth, use single sign-on

Ninth, keep up with the latest security products and technology

Tenth, a multi-pronged approach

Because Linux is a free, open-source operating system, it is welcomed by more and more users. As Linux spreads, government departments have raised Linux-based operating system development to the level of national information security, so it is not hard to predict that Linux will develop faster and further in our country. Although Linux is very similar to UNIX, there are some important differences between them, and the many system administrators who are used to UNIX and Windows NT face new challenges in securing Linux systems. This article introduces a range of practical experience in Linux security management.

First, file system

On a Linux system, installing separate primary partitions for different applications and mounting the key partitions read-only greatly improves file-system security. This mainly involves read-only mounts and the two extended attributes of Linux's own ext2 file system, immutable and append-only.

● Partitioning the file system. The Linux file system can be divided into several major partitions, each configured and installed separately; at a minimum, create separate partitions for /, /usr/local, /var and /home. /usr can be mounted read-only and treated as unmodifiable: if any file under /usr changes, the system should immediately raise a security alarm. This excludes, of course, changes the administrator makes to /usr deliberately. /lib, /boot and /sbin are installed and configured the same way: mount them read-only wherever possible, so that any modification of their files, directories or attributes raises an alarm.

Of course, not every major partition can be set read-only. Some, such as /var, by their nature cannot be mounted read-only, but they should not be mounted with execute permission either (the noexec mount option, usually together with nosuid and nodev).

● The ext2 extended attributes. Using the immutable and append-only attributes of the ext2 file system raises the security level further. These two attributes are ext2 extensions beyond the ordinary permission bits. A file marked immutable cannot be modified, not even by root. A file marked append-only can be modified, but only by appending to its end; again, even root can do no more than that. Note that a root process can still clear these attributes with chattr unless the kernel is prevented from doing so (the securelevel of 2.0 kernels, or removing CAP_LINUX_IMMUTABLE from the capability bounding set on 2.2), so the attributes raise the bar and create an opportunity for an alarm rather than making the file untouchable.

These attributes are set with the chattr command and inspected with lsattr; man chattr documents the ext2 file attributes in detail. The two attributes are useful for detecting a hacker's attempt to install a back door in an existing file. For security reasons, such activity should be stopped as soon as it is detected and an alarm raised.

If the key file systems are mounted read-only and their files are marked immutable, an intruder must remount the file system to delete these immutable files, and doing so raises an alarm immediately, which greatly reduces the intruder's opportunity.

● Protecting the log files. The two attributes are especially useful for log files and log backups. The system administrator should mark the active log file append-only. When the logs are rotated, the newly produced backup of the log should be marked immutable, and the new active log file append-only. This usually requires adding a few control commands to the log rotation script.
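The check and the rotation steps described above, as an added example for this page (not the article's own code): it parses lsattr output against a policy of which files must be immutable or append-only, and builds the chattr sequence a rotation script needs. The file list and the lsattr lines are constructed; real output comes from `lsattr -d` on the files you care about.

```python
"""Audit the ext2 immutable/append-only attributes on key files and build the
chattr steps a log-rotation script needs.  Added example for this page, not
the article's code; the lsattr output and file list below are constructed."""
from typing import Dict, List, Set

# Policy: the chattr flag each key file must carry.
# 'i' = immutable, 'a' = append-only (see man chattr).  Assumed file list.
POLICY: Dict[str, str] = {
    "/sbin/init": "i",
    "/lib/libc.so.6": "i",
    "/var/log/messages": "a",
    "/var/log/secure": "a",
}

# Constructed `lsattr -d <files>` output: attribute field, then the path.
SAMPLE_LSATTR = """\
----i--------e-- /sbin/init
-------------e-- /lib/libc.so.6
-----a-------e-- /var/log/messages
----i--------e-- /var/log/secure
"""


def parse_lsattr(output: str) -> Dict[str, Set[str]]:
    """Map each path to the set of attribute letters lsattr printed for it."""
    attrs: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        flags, path = line.split(None, 1)
        attrs[path.strip()] = {c for c in flags if c != "-"}
    return attrs


def audit(attrs: Dict[str, Set[str]], policy: Dict[str, str]) -> List[str]:
    """One finding per file whose required flag is missing.  An active log
    marked +i instead of +a is reported too: the daemon could no longer
    write to it, which is a different failure from the one we want."""
    findings = []
    for path, required in policy.items():
        present = attrs.get(path)
        if present is None:
            findings.append(f"{path}: not in lsattr output")
        elif required not in present:
            have = "".join(sorted(present)) or "none"
            findings.append(f"{path}: missing +{required} (has {have})")
        elif required == "a" and "i" in present:
            findings.append(f"{path}: active log is immutable, daemon cannot append")
    return findings


def rotation_commands(logfile: str) -> List[List[str]]:
    """Ordered argv lists for rotating an append-only log: an +a file cannot
    be renamed or deleted, so the flag is dropped first, the archive is
    frozen with +i, and the fresh log is made append-only again.
    Every chattr here needs root (CAP_LINUX_IMMUTABLE)."""
    archive = logfile + ".1"
    return [
        ["chattr", "-a", logfile],
        ["mv", logfile, archive],
        ["touch", logfile],
        ["chattr", "+a", logfile],
        ["chattr", "+i", archive],
    ]


if __name__ == "__main__":
    for finding in audit(parse_lsattr(SAMPLE_LSATTR), POLICY):
        print("ALERT:", finding)
    for argv in rotation_commands("/var/log/messages"):
        print(" ".join(argv))
```

Run the audit from cron against fresh `lsattr` output and treat any finding as the alarm the text describes. After the rotation commands, send syslogd a HUP so it reopens the new file; the archive carrying +i can then only be removed by an administrator who first clears the flag, which is exactly the step you want to be noticed.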

Second, backups

After installing a Linux system, back up the whole system. The backup is used to verify the system's integrity, so that illegal tampering with system files can be found, and if system files have been damaged, the backup restores the system to its normal state.

● CD-ROM backups. The best system backup medium today is a CD-ROM disc: the running system can be compared against the disc periodically to verify that its integrity has not been compromised. Where the required security level is particularly high, make the disc bootable and perform the verification as part of the boot process; the system can then not be compromised by way of the CD. If you have created read-only partitions, you can also reload them regularly from the disc image. Even where /boot, /lib and /sbin cannot be installed on a read-only partition, you can still check them against the disc image, and even reinstall them from another secure image at boot time.

● Other backup methods. Although many files in /etc change frequently, much of /etc can still be placed on the disc for integrity verification. Files that do not change often can be backed up to another medium (such as tape) or compressed into a read-only directory. This gives an additional integrity check on top of the verification against the disc image.

Since most operating systems now ship on CD, making a CD-ROM emergency boot disc or verification disc is very convenient, and it is a very effective and practical verification method.
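The comparison against a trusted image, as an added example for this page rather than the article's own code: instead of a byte-for-byte disc compare, it records a SHA-256 manifest of a read-only tree (the sort of thing you would burn to the verification disc) and later reports files that were modified, added or removed. The toy /sbin it builds under a temporary directory is constructed for the demonstration.

```python
"""Baseline manifest of a read-only tree and comparison against it (the
CD-ROM check from the text, done with SHA-256 hashes instead of a byte
compare).  Added example; the sample tree is built in a temp directory."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Relative path -> digest for every regular file under root.  Symlinks
    are recorded by target rather than content: a redirected link is itself
    a modification worth noticing."""
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = "link:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline: Dict[str, str],
            current: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, added, removed), each sorted, relative to baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Snapshot a toy /sbin, then simulate a trojaned binary and a dropped
    rootkit file, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        os.makedirs(sbin)
        with open(os.path.join(sbin, "init"), "wb") as f:
            f.write(b"\x7fELF original init")
        with open(os.path.join(sbin, "ifconfig"), "wb") as f:
            f.write(b"\x7fELF original ifconfig")
        # Serialise and reload, as the manifest would be read back from the disc.
        baseline = json.loads(json.dumps(build_manifest(root)))
        with open(os.path.join(sbin, "ifconfig"), "wb") as f:
            f.write(b"\x7fELF trojaned ifconfig")
        with open(os.path.join(sbin, ".rk"), "wb") as f:
            f.write(b"rootkit config")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

The manifest is only as trustworthy as the copy you compare against: keep it on the read-only disc (or on the log server), not on the system being checked, and run the check from media you booted rather than from a possibly replaced /bin/sh.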

Third, improve the system's internal security mechanisms

Buffer-overflow attacks, one of the most common and hardest to prevent forms of attack, can be resisted by improving the internal workings of the Linux operating system. Although such improvements require considerable experience and skill from the system administrator, they are still necessary for many Linux systems with high security requirements.

● The secure Linux kernel patch. Solar Designer's secure Linux patch for the 2.0 kernel provides a non-executable stack, which reduces the threat of buffer overflows and so greatly improves the security of the whole system.

Exploiting a buffer overflow is fairly hard, because the intruder must be able to determine when a potential overflow occurs and where in memory it lands. Defending against overflows is also hard: to prevent this kind of attack completely, the administrator would have to remove every overflow condition. For this reason many people, Linus Torvalds among them, did not consider the patch important: it does not stop every attack that uses a buffer overflow, since an overflow can redirect execution into code that already exists in memory rather than into code injected on the stack. Note also that the patch creates new work for administrators, because some programs and libraries rely on an executable stack.

Non-executable stack patches have been distributed on many security mailing lists (such as SecureDistros@nl.linux.org), and users can easily download them.

● StackGuard. StackGuard is a very powerful security patch: key applications can be recompiled and linked with a version of GCC modified by StackGuard.

StackGuard inserts stack checks at compile time to stop the stack-smashing form of buffer overflow: it places a canary word next to the saved return address and aborts the program if the canary has been overwritten when the function returns. Although this slightly slows the system, StackGuard is still a very useful tool for specific applications with high security requirements.

There is already a Linux distribution built with StackGuard, so users can make use of it easily. Although StackGuard costs roughly 10 to 20% in performance, it stops this whole class of stack-based buffer-overflow attack. It does not protect against overflows of heap or static buffers, or against overwrites that leave the canary intact and corrupt other stack data.

● Adding new access control features. The 2.3 kernels are attempting to implement access control lists in the file system, which add finer-grained access control on top of the original three-class (owner, group and other) mechanism.

A further access control feature is also being developed in the 2.2 and 2.3 kernels, which will eventually interact with some of the ext2 file attributes (on 2.2 the immutable and append-only flags are already governed by the CAP_LINUX_IMMUTABLE capability). It provides more precise security control than the traditional ext2 file system: with it, an application can access certain system resources without full superuser privilege.

● Rule set based access control. The Linux community is developing the Rule Set Based Access Control (RSBAC) project, which claims to bring the Linux operating system to B1-level security. RSBAC is an extension framework for access control that extends a number of system calls and supports a variety of access control and authentication models. It is very useful for extending and strengthening the internal and local security of a Linux system.

Fourth, set traps and honeypots

A trap is a piece of software that, when activated, triggers an alarm; a honeypot is a trap designed to attract intruders and then raise a special alarm. With traps and honeypots in place, the system can raise an alarm as soon as an intrusion occurs. Many large networks have specially designed traps. Traps generally come in two kinds: those that only detect the intruder and take no retaliatory action, and those that strike back.

A common way to set up a honeypot is to have the Linux system deliberately advertise an IMAP server version with a number of known vulnerabilities. When an intruder performs a large-scale scan for such IMAP servers, they walk into the trap and set off the system alarm.

Another well-known honeypot example is PHF, a very fragile web cgi-bin script. The original PHF was designed as a phone-book lookup, but it had a serious security hole: it let intruders use it to retrieve the system password file or perform other malicious operations. The administrator can install a fake PHF script that, instead of sending the intruder the system's password file, returns fake information and at the same time alerts the administrator.

Another kind of honeypot trap immediately denies the intruder any further access by adding the intruder's IP address to a blacklist in the firewall. The denial can be either short-term or long-term. The firewall code in the Linux kernel is well suited to this.
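The fake PHF trap and the firewall blacklist from the last two paragraphs, as an added example for this page (not the article's script): any request that reaches the phf path is answered with a decoy password file, an alert is recorded for the administrator, and an ipchains rule is produced to blacklist the source. The request line and addresses are constructed; the ipchains syntax is the 2.2-era form and is an assumption here (use iptables or nftables on a modern kernel).

```python
"""A fake phf CGI trap: answer with harmless decoy data, alert the operator,
and emit the firewall rule that blacklists the source.  Added example; the
request lines and addresses below are constructed."""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

TRAP_PATH = "/cgi-bin/phf"

# Decoy that looks like a password file but carries no real account data.
DECOY_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/bin/false\n"
)


@dataclass
class Alert:
    source_ip: str
    path: str
    query: str


def handle_request(source_ip: str, request_line: str, alerts: List[Alert]) -> str:
    """Return the response body for one HTTP request line.  A hit on the
    trap path is hostile by definition (no legitimate client uses it), so
    record an Alert and hand back the decoy instead of the real file."""
    _method, target, _version = request_line.split()
    parts = urlsplit(target)
    if parts.path == TRAP_PATH:
        alerts.append(Alert(source_ip, parts.path, parts.query))
        return DECOY_PASSWD
    return "<html><body>nothing here</body></html>\n"


def block_rule(source_ip: str, chain: str = "input") -> List[str]:
    """ipchains argv that drops further traffic from source_ip (assumed
    2.2-era syntax).  Insert at the head of the chain so it wins."""
    return ["ipchains", "-I", chain, "-s", source_ip, "-j", "DENY"]


def block_rules_for(alerts: List[Alert]) -> List[List[str]]:
    """One rule per distinct source that tripped the trap, in first-seen order."""
    seen: List[str] = []
    for alert in alerts:
        if alert.source_ip not in seen:
            seen.append(alert.source_ip)
    return [block_rule(ip) for ip in seen]


if __name__ == "__main__":
    log: List[Alert] = []
    print(handle_request("203.0.113.7", "GET /cgi-bin/phf?Qalias=root HTTP/1.0", log))
    print(handle_request("198.51.100.2", "GET /index.html HTTP/1.0", log))
    for alert in log:
        print("ALERT:", alert)
    for argv in block_rules_for(log):
        print(" ".join(argv))
```

Blacklisting on a single hit is only safe for a path that no legitimate client ever touches; for anything else, remember that the source address is attacker-controlled and an automatic block can be turned against a third party.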

Fifth, stop intrusions in the bud

The most common thing an intruder does before attacking is a port scan. If port scanning can be discovered and stopped, the number of intrusions can be greatly reduced. The reacting system can be a simple stateful packet filter, or a more complex intrusion detection system or configurable firewall.

● Abacus Port Sentry. Abacus Port Sentry is an open source toolkit that monitors the network interfaces and interacts with the firewall to shut down port-scan attacks. When a port scan occurs, Port Sentry can quickly block it from continuing. If it is misconfigured, however, it may also let a hostile outsider mount a denial-of-service attack on your system, by spoofing the source address so that legitimate hosts get blacklisted.

Used together with a transparent proxy tool on Linux, Abacus Port Sentry provides a very effective intrusion prevention measure: unused ports on all IP addresses can be redirected to Port Sentry, which detects and blocks the port scan before the intruder takes further action.

Abacus Port Sentry can detect slow scans, but not structured attacks. Both techniques aim to disguise the attacker's intent: a slow scan spreads the port scan over a long period, while in a structured attack the attacker hides the real target by scanning or probing from multiple source addresses.

Used correctly, this software effectively stops large parallel scans of the IMAP service and blocks all such intruders. Abacus Port Sentry is most effective with the ipchains tool of the Linux 2.2 kernel, since ipchains can automatically direct all port-scan traffic to Port Sentry.

The Linux 2.0 kernel can be patched to use ipchains, and Abacus Port Sentry can also work with the ipfwadm tool of the earlier 2.0 kernels; ipfwadm was replaced by ipchains in 2.2.

Abacus Port Sentry can also be configured to react to UDP scans on the Linux system, and even to various half-open scans such as the FIN scan, which tries to avoid detection by sending only small probe packets rather than establishing a real connection. A better approach, of course, is a dedicated intrusion detection system such as ISS RealSecure, which can reconfigure the firewall based on intrusion alarms and attack signatures. Such products are generally expensive, though, and hard for ordinary users to afford.
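The port-scan detection this section describes, as an added example for this page (not Port Sentry's code): a sliding-window detector over packet-filter deny records that flags any source touching many distinct ports within a window, and, to make the slow-scan caveat concrete, shows that the same eight probes spread over an hour slip past a one-minute window and only show up when the window is widened. The records are constructed in a simplified "timestamp source port" form such as a log normaliser might produce.

```python
"""Sliding-window port-scan detector over packet-filter deny records, with
the slow-scan caveat from the text.  Added example; records are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

PORTS = (21, 22, 23, 25, 80, 110, 143, 443)

# Constructed records: "epoch_seconds source_ip destination_port".
FAST_SCAN = [f"1000 203.0.113.7 {p}" for p in PORTS]                      # 8 ports in 1 s
SLOW_SCAN = [f"{2000 + i * 400} 198.51.100.9 {p}" for i, p in enumerate(PORTS)]  # 8 ports over 47 min
NORMAL = ["1001 192.0.2.5 80", "1003 192.0.2.5 443", "1009 192.0.2.5 80"]  # an ordinary client

Event = Tuple[int, str, int]


def parse(lines: List[str]) -> List[Event]:
    """Turn records into sorted (timestamp, source, port) tuples."""
    events: List[Event] = []
    for line in lines:
        ts, src, port = line.split()
        events.append((int(ts), src, int(port)))
    return sorted(events)


def detect_scans(events: List[Event], window: int, threshold: int) -> Dict[str, int]:
    """Return {source: start_timestamp} for every source that touches at
    least `threshold` distinct ports within any `window` seconds.  The
    window slides per source, so a burst and a steady drip are both
    measured against the same rule; only the window length decides."""
    per_src: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for ts, src, port in events:
        per_src[src].append((ts, port))
    hits: Dict[str, int] = {}
    for src, probes in per_src.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = {port for _, port in probes[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = probes[start][0]
                break
    return hits


if __name__ == "__main__":
    events = parse(FAST_SCAN + SLOW_SCAN + NORMAL)
    print("60 s window:  ", detect_scans(events, window=60, threshold=6))
    print("3600 s window:", detect_scans(events, window=3600, threshold=6))
```

A longer window catches the slow scanner at the cost of remembering more per-source state, and it does nothing against the structured attack the text mentions, where each source address probes only one or two ports; that case needs correlation across sources (for instance by destination port order or timing), not a bigger window on one source.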

Sixth, counter-attack detection

The systems above mainly defend by preventing intrusion; a counter-attack system instead port-scans the intruder back or launches other attacks, so that the intruder not only fails but, having invited the wolf into the house, brings a counter-attack on themselves.

Some security systems, such as Abacus Port Sentry, have a degree of counter-attack capability. For example, some sites that do not allow users to connect by Telnet answer a Telnet connection request with an unwelcoming message. This is the simplest and mildest form of counter-attack.

In general, counter-attack features are not recommended, because such measures are easily abused to attack other systems: an attacker can spoof the source address so that your system retaliates against an innocent third party.

Seventh, improve logging

Moving the system's log server to a separate machine raises the system's security level, and replacing Linux's own logging tools with a more secure log server improves security further.

On a large Linux network it is best to use a separate log server for the syslog service. It must be a system able to handle the logging needs of all the other systems, with enough disk space, and no other service should run on it. A more secure log server greatly weakens the intruder's ability to alter log files by way of the logging system.

● Secure syslog. Even with a separate log server, Linux's own syslog is quite insecure, so some people have developed so-called secure log servers that integrate cryptographic signatures into the log. This ensures that an intruder cannot tamper with the system log without being detected. The most commonly used secure log server replacing syslog today is called Secure Syslog (ssyslog), which users can download from the Core SDI site at http://www.core-sdi.com/ssyslog. This daemon implements a cryptographic protocol called PEO-1 to provide remote auditing of system logs. Even if the intruder gains superuser privilege, auditing remains possible, because the protocol guarantees that log entries written before the break-in cannot be modified without the remote trusted host detecting it. Entries written after the break-in carry no such guarantee, since by then the intruder holds the current key.

● syslog-ng. Another replacement for syslog is syslog-ng (next generation syslog), a much more configurable daemon that provides cryptographic signing to detect tampering with log files. A cryptographically secured log server together with remote auditing makes log tampering very difficult for the intruder and very easy to detect. Users can download this tool from www.balabit.hu/products/syslog-ng.html.
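The forward-secure property the secure syslog paragraph relies on, as an added example for this page: it is a simplified illustration of the idea behind ssyslog's PEO-1, not the PEO-1 protocol itself or Core SDI's code. Each entry is authenticated with the current key, which is then hashed forward and erased, so an intruder who seizes the live key can forge new entries but cannot rewrite the ones recorded before the break-in. The initial key, the log lines and the tampering scenario are constructed.

```python
"""Forward-secure log authentication in the spirit of PEO-1 (simplified,
added example, not the real protocol).  The logging host MACs each entry
with key K_i and then replaces K_i by H(K_i); the auditor holds K_0 and
can recompute every key, but a compromised host only ever holds the
current one."""
import hashlib
import hmac
from typing import List, Tuple

Entry = Tuple[int, str, str]  # (sequence number, message, MAC hex)


def next_key(key: bytes) -> bytes:
    """One-way key evolution: the previous key cannot be recovered from this."""
    return hashlib.sha256(b"evolve|" + key).digest()


def entry_mac(key: bytes, seq: int, message: str) -> str:
    """MAC over sequence number and text, so entries cannot be reordered."""
    return hmac.new(key, f"{seq}|{message}".encode(), hashlib.sha256).hexdigest()


class ForwardSecureLog:
    def __init__(self, initial_key: bytes):
        self._key = initial_key          # K_0, shared once with the auditor
        self.entries: List[Entry] = []

    def append(self, message: str) -> None:
        seq = len(self.entries)
        self.entries.append((seq, message, entry_mac(self._key, seq, message)))
        self._key = next_key(self._key)  # K_i is gone; old entries cannot be re-MACed

    def current_key(self) -> bytes:
        """What an intruder with root on the logging host can obtain."""
        return self._key


def audit(entries: List[Entry], initial_key: bytes) -> Tuple[bool, int]:
    """Auditor check from K_0: returns (ok, index of first bad entry or -1)."""
    key = initial_key
    for i, (seq, message, mac) in enumerate(entries):
        if seq != i or not hmac.compare_digest(entry_mac(key, seq, message), mac):
            return False, i
        key = next_key(key)
    return True, -1


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int]]:
    """Three entries, then a root compromise; the intruder rewrites entry 1
    with the only key they hold.  Returns the audit result before and after."""
    k0 = b"constructed-initial-key-shared-with-auditor"
    log = ForwardSecureLog(k0)
    for msg in ("sshd: accepted login for alice",
                "su: alice to root",
                "sshd: failed login for root from 203.0.113.7"):
        log.append(msg)
    leaked = log.current_key()          # K_3, obtained after the break-in
    tampered = list(log.entries)
    seq, _, _ = tampered[1]
    fake = "su: nothing happened"
    tampered[1] = (seq, fake, entry_mac(leaked, seq, fake))
    return audit(log.entries, k0), audit(tampered, k0)


if __name__ == "__main__":
    print("untouched:", demo()[0], "tampered:", demo()[1])
```

The chain only protects the past: an entry appended with the leaked K_3 verifies correctly, which is why the auditor should also expect a steady heartbeat from the host and treat a silent gap as suspicious.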

Eighth, use single sign-on

Maintaining multiple user accounts for users scattered across a large network is a real headache for system administrators. There are now single sign-on systems that not only reduce the administrator's burden but also raise the security level.

The Network Information Service (NIS) is a well-known single sign-on system, developed from Sun's Yellow Pages service. Its basic security is not robust enough, since a number of bugs and vulnerabilities have been published, and some people jokingly call it the Network Intruder Service. NIS+, the updated version, improves on the original NIS, and a NIS+ version for Linux now exists.

Kerberos is also a well-known single sign-on system. Kerberos V4 has some well-known security weaknesses; for example, an intruder can brute-force Kerberos tickets offline without being detected. Kerberos V5 is greatly improved and no longer has the V4 problems. In a large network a single sign-on system such as NIS or Kerberos has drawbacks as well as advantages. On the one hand, separate authentication mechanisms on different systems help isolate functions and limit the effect each has on the others; on the other hand, once one account on one system is compromised, every system reachable through that account is compromised too. A single sign-on system therefore specifically demands passwords of high strength.

Windows-based networks have their own single sign-on system in the Windows NT domain. A Linux system can authenticate against the Windows system, so that users modify, maintain and manage their accounts and passwords under Windows and the changes take effect for their UNIX logins. With pam_smb, the Linux system can authenticate against a Windows SMB domain. This is quite convenient for management in a Windows network, but it also imports the insecurities of the Windows authentication system itself.

Ninth, keep up with the latest security products and technology

As a system administrator you also need to follow the development of Linux security technology and adopt more advanced Linux security tools in good time. There are many Linux security research and development projects at present. At least three secure Linux projects have been launched, each with its own focus:

● Secure Linux (www.reseau.nl/securelinux). Its goal is to provide a secure Linux distribution for Internet server systems. The project manager is seeking to integrate strong cryptography and some additional web server features into the product. Since it is created outside the United States, it is expected to deliver improved cryptographic security without being limited by US export law on security products.

● Bastille Linux (www.bastille-linux.org). The project seeks to create a standard in the Linux environment similar to OpenBSD. It claims to create a secure distribution for desktops, so that network managers need not worry about the security of user machines.

● Kha0s Linux (www.kha0s.org). It aims at a minimal secure Linux distribution with strong encryption and OpenBSD-style security policies. The team is currently inviting users and vendors worldwide to participate and cooperate through its web site.

In addition, the following two points also help administrators raise their level of Linux security management:

Subscribe to the secure Linux mailing lists. Follow the mailing lists devoted to Linux security, such as SecureDistros@nl.linux.org and kha0s-dev@kha0s.org; reading them regularly yields a great deal of security information.

Another general mailing list is security-audit@ferret.lmh.ox.ac.uk, which is devoted to security auditing of source code. This list overlaps a good deal with other lists, but if you want to follow source-code auditing and related security issues, it is worth reading.

Tenth, a multi-pronged approach

When reposting, please credit the original address: https://www.9cbs.com/read-52401.html
